Debian has issued advisories on June 19 and 21:
https://www.debian.org/security/2020/dsa-4707
https://www.debian.org/security/2020/dsa-4708
The issues are fixed upstream in mutt 1.14.4 and neomutt 20200619.
CC: (none) => jani.valimaa, smelror
Assigning to Jani as the active registered maintainer of this (removed his CC).
Assignee: bugsquad => jani.valimaa
CC: jani.valimaa => (none)
Mutt is already fixed in cauldron. Pushed mutt-1.11.4-1.2.mga7 with patches from upstream to core/updates_testing for mga7.
SRPMS: mutt-1.11.4-1.2.mga7
RPMS: mutt-1.11.4-1.2.mga7 mutt-doc-1.11.4-1.2.mga7
Assigning to Stig for neomutt part.
CC: smelror => jani.valimaa
Assignee: jani.valimaa => smelror
Commits for neomutt appear to be:
https://github.com/neomutt/neomutt/commit/fb013ec666759cb8a9e294347c7b4c1f597639cc
https://github.com/neomutt/neomutt/commit/9909cde1f332d2f641c6aec0eb92adf0a150c7e5
https://github.com/neomutt/neomutt/commit/cf3483f485001b170d27299f76b3ffd4c89897a7
https://github.com/neomutt/neomutt/commit/37c98ed320e5e2ba4824d6338b06f564f27aa7ad
It looks like the last two are actually post 20200619, so should be added in Cauldron also. Also mutt 1.14.5 is out, so it should be updated in Cauldron.
openSUSE has issued an advisory on June 30: https://lists.opensuse.org/opensuse-updates/2020-06/msg00165.html This fixes an additional issue, CVE-2020-14154, also fixed in 1.14.3. Let's make sure we have that fix for mutt and neomutt too: https://bugzilla.suse.com/show_bug.cgi?id=1172906#c4
Summary: mutt, neomutt new security issues CVE-2020-14093 and CVE-2020-14954 => mutt, neomutt new security issues CVE-2020-14093, CVE-2020-14154, and CVE-2020-14954
Stig-Ørjan, ping! We need you to fix neomutt.
Blocks: (none) => 27232
neomutt split to Bug 27232.

Advisory:
========================

Updated mutt packages fix security vulnerabilities:

A potential IMAP Man-in-the-Middle attack via a PREAUTH response (CVE-2020-14093).

Mutt was ignoring an expired certificate and was proceeding with a connection (CVE-2020-14154).

A response injection due to a STARTTLS buffering issue which was affecting IMAP, SMTP, and POP3 (CVE-2020-14954).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14093
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14154
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14954
https://lists.opensuse.org/opensuse-updates/2020-06/msg00165.html
========================

Updated packages in core/updates_testing:
========================
mutt-1.11.4-1.3.mga7
mutt-doc-1.11.4-1.3.mga7

from mutt-1.11.4-1.3.mga7.src.rpm
Assignee: smelror => qa-bugs
Source RPM: mutt-1.11.4-1.1.mga7.src.rpm, neomutt-20180716-0.4.mga7.src.rpm => mutt-1.11.4-1.1.mga7.src.rpm
Summary: mutt, neomutt new security issues CVE-2020-14093, CVE-2020-14154, and CVE-2020-14954 => mutt new security issues CVE-2020-14093, CVE-2020-14154, and CVE-2020-14954
MGA7-64 Plasma on Lenovo B50
No installation issues.
Took the advice from Mike in bug 25909 and ran
# mutt -f /var/spool/mail/postfix
45 kept, 0 deleted.
answering no to the question of creating an account for root, so I could have a look at the existing mails.
Works OK
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 7.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0357.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED